SUSE-SU-2024:1301-1
Vulnerability Summary
Timeline
Description
Security update for nodejs20 This update for nodejs20 fixes the following issues: Update to 20.12.1 Security fixes: - CVE-2024-27983: Fixed failed assertion in node::http2::Http2Session::~Http2Session() that could lead to HTTP/2 server crash (bsc#1222244) - CVE-2024-27982: Fixed HTTP Request Smuggling via Content Length Obfuscation (bsc#1222384) - CVE-2024-30260: Fixed proxy-authorization header not cleared on cross-origin redirect in undici (bsc#1222530) - CVE-2024-30261: Fixed fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect in undici (bsc#1222603) - CVE-2024-24806: Fixed improper domain lookup that potentially leads to SSRF attacks in libuv (bsc#1220053)
Affected Systems
- opensuse•nodejs20&distro=openSUSE Leap 15.5
< 20.12.1-150500.11.9.2
- suse•nodejs20&distro=SUSE Linux Enterprise Module for Web and Scripting 15 SP5
< 20.12.1-150500.11.9.2
References (11)
- https://www.suse.com/support/update/announcement/2024/suse-su-20241301-1/
- https://bugzilla.suse.com/1220053
- https://bugzilla.suse.com/1222244
- https://bugzilla.suse.com/1222384
- https://bugzilla.suse.com/1222530
- https://bugzilla.suse.com/1222603
- https://www.suse.com/security/cve/CVE-2024-24806
- https://www.suse.com/security/cve/CVE-2024-27982
- https://www.suse.com/security/cve/CVE-2024-27983
- https://www.suse.com/security/cve/CVE-2024-30260
- https://www.suse.com/security/cve/CVE-2024-30261